USPS, Tolls, and Beyond: Unpacking Common Smishing Scams
Ever get a text that seems innocent enough, like the USPS needs your help with a package delivery address? Then you spot something weird: the phone number starts with a country code like +63, from the Philippines. "Wait," you think, "the USPS doesn't have facilities there, do they? And how do they know my phone number but not my address?"
These are red flags for a growing threat called smishing, a combination of SMS and phishing. It's when scammers send fraudulent text messages to trick you into giving up your personal information or money.
Don't Fall for the Bait
The U.S. Postal Inspection Service (USPIS) confirms that these package tracking texts are almost always scams. Here's what you need to know:
- Don't click the link! It's designed to steal your info or install malware.
- The USPS won't text you out of the blue. They only send text messages or emails if you've already requested updates for a specific package with a tracking number.
- Legitimate USPS texts will never include a link.
So, if you didn't explicitly ask for text updates related to a package, assume it's a scam, especially if it contains a link. The same goes for those SMS notifications about toll violations, particularly from states you've never visited. It's all part of the same deceptive game.
Why Are Texts So Tricky?
While many people are wary of suspicious emails, text messages often receive an undeserved level of trust. Exploiting that trust is known as a "social engineering" attack, and it makes SMS an ideal playground for scammers. As we've discussed before in "Are Companies Negligent for Still Using SMS OTPs?", SMS has simply never been a secure form of communication. Scammers exploit this trust, sometimes even impersonating known phone numbers, to trick you.
Scam for Rent: Smishing as a Service
What makes these scams so prevalent is that they're offered as a subscription service that bad actors can rent, much like a streaming subscription. For a monthly fee, criminals gain access to the necessary infrastructure to send texts to thousands globally and collect their ill-gotten gains. As Resecurity explains in their post, "Smishing Triad is Now Targeting Toll Payment Services in a Massive Fraud Campaign Expansion", these bulk SMS services provide an easy-to-use interface for committing fraud at scale, often taking a cut of the profits. This "smishing-as-a-service" model lowers the barrier to entry for cybercriminals, fueling the surge in these deceptive texts.
Protect Yourself from Smishing
The U.S. Federal Communications Commission (FCC) offers excellent advice to help you avoid smishing scams:
- Never click links, reply, or call numbers you don't recognize.
- Don't even respond with "STOP." This just confirms your number is active.
- Delete all suspicious texts immediately.
- Keep your devices updated. Ensure your smartphone's operating system and security apps are current.
- Consider anti-malware software for an extra layer of protection.
- Use multi-factor authentication (MFA) for all sensitive accounts (bank accounts, health records, social media, etc.) to safeguard your personal information.
Stay Vigilant
Don't let a deceptive text put your privacy or finances at risk. The key to staying safe from smishing is skepticism and adherence to best practices. Always verify suspicious messages through official channels, and never click unknown links. By taking these simple steps, you become your own best defense against these prevalent scams.
Remember, we may not have anything to hide, but we have everything to protect.